We introduce event identifier logic (EIL) which extends Hennessy-Milner logic by the addition of
(1) reverse as well as forward modalities, and (2) identifiers to keep track of events. We show
that this logic corresponds to hereditary history-preserving (HH) bisimulation equivalence within
a particular true-concurrency model, namely stable configuration structures. We furthermore show
how natural sublogics of EIL correspond to coarser equivalences. In particular we provide logical
characterisations of weak history-preserving (WH) and history-preserving (H) bisimulation. Logics
corresponding to HH and H bisimulation have been given previously, but not to WH bisimulation
(when autoconcurrency is allowed), as far as we are aware. We also present characteristic formulas
which characterise individual structures with respect to history-preserving equivalences.

1 Introduction 

The paper presents a modal logic that can express simple properties of computation in the true
concurrency setting of stable configuration structures. We aim, like Hennessy-Milner logic (HML) [19] in the
interleaving setting, to characterise the main true concurrency equivalences and to develop characteristic
formulas for them. We focus in this paper on history-preserving bisimulation equivalences.

HML has a "diamond" modality $\langle a\rangle\phi$ which says that an event labelled $a$ can be performed, taking
us to a new state which satisfies $\phi$. The logic also contains negation ($\neg$), conjunction ($\wedge$) and a base
formula which always holds ($\mathsf{tt}$). HML is strong enough to distinguish any two processes which are not
bisimilar.

We are interested in making true concurrency distinctions between processes. These processes will
be event structures, where the current state is represented by the set of events which have occurred so
far. Such sets are called configurations. Events have labels (ranged over by $a, b, \ldots$), and different events
may have the same label. We shall refer to example event structures using a CCS-like notation, with
$a \mid b$ denoting an event labelled with $a$ in parallel with another labelled with $b$, $a.b$ denoting two events
labelled $a$ and $b$ where the first causes the second, and $a + b$ denoting two events labelled $a$ and $b$ which
conflict.

In the true concurrency setting bisimulation is referred to as interleaving bisimulation, or IB for short.
The processes $a \mid b$ and $a.b + b.a$ are interleaving bisimilar, but from the point of view of true concurrency
they should be distinguished, and HML is not powerful enough to do this.

We therefore look for a more powerful logic, and we base this logic on adding reverse moves. Instead
of the one modality $\langle a\rangle\phi$ we have two: forward diamond $\langle a\rangle\rangle\phi$ (which is just a new notation for the $\langle a\rangle\phi$
of HML) and reverse diamond $\langle\langle a\rangle\phi$. The latter is satisfied if we can reverse some event labelled with
$a$ and get to a configuration where $\phi$ holds. Such an event would have to be maximal to enable us to
reverse it, i.e. it could not be causing some other event that has already occurred.

With this new reverse modality we can now distinguish $a \mid b$ and $a.b + b.a$: $a \mid b$ satisfies
$\langle a\rangle\rangle\langle b\rangle\rangle\langle\langle a\rangle\mathsf{tt}$, while $a.b + b.a$ does not. The formula expresses the idea that $a$ and $b$ are
concurrent. Alternatively we see that $a.b + b.a$ satisfies $\langle a\rangle\rangle\langle b\rangle\rangle\neg\langle\langle a\rangle\mathsf{tt}$, while $a \mid b$ does not.
This latter formula expresses the idea that $a$ causes $b$.

The new logic corresponds to reverse interleaving bisimulation [31], or RI-IB for short. In the
absence of autoconcurrency, Bednarczyk [3] showed that this is as strong as hereditary history-preserving
bisimulation [3], or HH for short, which is usually regarded as the strongest desirable true concurrency
equivalence. HH was independently proposed in [21], under the name of strong history-preserving
bisimulation.

Auto-concurrency is where events can occur concurrently and have the same label. To allow for
this, we need to strengthen the logic. For instance, we want to distinguish $a \mid a$ from $a.a$, which is not
possible with the logic as it stands: $\langle a\rangle\rangle\langle a\rangle\rangle\langle\langle a\rangle\mathsf{tt}$ is satisfied by both processes. We need some way of
distinguishing the two events labelled with $a$. We change our modalities so that when we make a forward
move we declare an identifier (ranged over by $x, y, \ldots$) which stands for that event, allowing us to refer to
it again when reversing it. Now we can write $\langle x : a\rangle\rangle\langle y : a\rangle\rangle\langle\langle x\rangle\mathsf{tt}$, and this is satisfied by $a \mid a$, but not by
$a.a$. Declaration is an identifier-binding operation, so that $x$ and $y$ are both bound in the formula. Baldan
and Crafa [2] also used such declarations in their forward-only logic.

With this simple change we now have a logic which is as strong as HH, even with autoconcurrency. 

We have to be careful that our logic does not become too strong. For instance, we want to ensure that
processes $a$ and $a + a$ are indistinguishable. One might think that $a + a$ satisfies
$\langle x : a\rangle\rangle\langle\langle x\rangle\langle y : a\rangle\rangle\neg\langle\langle x\rangle\mathsf{tt}$, while $a$ does not. To avoid this, we need to ensure that $x$ is
forgotten about once it is reversed, and so cannot be used again. One could make a syntactic restriction
that in a formula $\langle\langle x\rangle\phi$ the identifier $x$ is not allowed to occur (free) in $\phi$. However this is not actually
necessary, as our semantics will ensure that all identifiers must be assigned to events in the current
configuration. So in fact $\langle x : a\rangle\rangle\langle\langle x\rangle\langle y : a\rangle\rangle\neg\langle\langle x\rangle\mathsf{tt}$ is not satisfied by $a + a$, since we are not allowed
to reverse $x$ as it would take us to a configuration where $x$ is mentioned in $\langle y : a\rangle\rangle\neg\langle\langle x\rangle\mathsf{tt}$ but $x$ is
assigned to an event outside the current configuration. Baldan and Crafa [2] also had to deal with this issue.

Our logic is not quite complete, since we wish to express certain further properties. For instance, we
would like to express a reverse move labelled with $a$, i.e. $\langle\langle a\rangle\phi$. Instead of adding this directly, we add
declarations $(x : a)\phi$. We can now express $\langle\langle a\rangle\phi$ by the formula $(x : a)\langle\langle x\rangle\phi$ (where $x$ does not occur
(free) in $\phi$).

We also wish to express so-called step transitions, which are transitions consisting of multiple events
occurring concurrently. For instance a forward step $\langle a, a\rangle\rangle\phi$ of two events labelled with $a$ can be achieved
by $\langle x : a\rangle\rangle\langle y : a\rangle\rangle(\phi \wedge \langle\langle x\rangle\mathsf{tt})$ and a reverse step $\langle\langle a, a\rangle\phi$ can be achieved by
$(x : a)(y : a)(\langle\langle x\rangle\langle\langle y\rangle\phi \wedge \langle\langle y\rangle\mathsf{tt})$ (both formulas with $x$ and $y$ not free in $\phi$). Thus the reverse steps
employ declarations. As well as expressing reverse steps, declarations allow us to obtain a sublogic which
corresponds to weak history-preserving bisimulation (WH).

This completes a brief introduction of our logic, which we call Event Identifier Logic, or EIL for
short. Apart from corresponding to HH, EIL has natural sublogics for several other true concurrency
equivalences. Figure 1 shows a hierarchy of equivalences that we are able to characterise, where arrows
denote proper set inclusion. Apart from the mentioned HH and WH, history-preserving bisimulation (H)
is a widely studied equivalence that employs history isomorphism. Hereditary weak-history preserving
bisimulation (HWH) is WH with the hereditary property IS that deals with reversing of events. The
definitions of these equivalences can be found in [12, 31], and are outlined in Section 3.

Figure 1: The hierarchy of history-preserving equivalences.

It is natural to ask if, at least for a finite structure, there is a single logical formula which captures all 
of its behaviour, up to a certain equivalence. Such formulas are called characteristic formulas. They have 
been investigated previously for HML and other logics |[T6l [35l rU. We look at characteristic formulas 
with respect to three of the equivalences we consider, namely HH, H and WH. 

The main contribution of the paper is a logic EIL. It could be argued that EIL is a natural and 
canonical logic for the true concurrency equivalences considered here in the following sense. Firstly, its 
forward and reverse modalities capture faithfully the information of the forward and reverse transitions 
in the definitions of the equivalences. Secondly, event identifier environments and event declarations give 
rise naturally to order isomorphisms for HH, H, HWH and WH. Finally, EIL extends HML and keeps 
with its spirit of having simple modalities defined seamlessly over a general computation model. 

Other contributions include what are, to our knowledge, the first logics for WH and HWH. Finally, we
present what are, to our knowledge, the first characteristic formulas for HH, H and WH.

The paper is organised as follows. We look at related work in Section 2. Then we recall the definitions
of configuration structures and the bisimulation-based equivalences that we shall need in Section 3. We
then introduce EIL in Section 4, giving examples of its usage. Next we look at how to characterise
various equivalences using EIL and its sublogics (Section 5). In Section 6 we investigate characteristic
formulas. We finish with conclusions and future work.

2 Related work 

Previous work on logics for true concurrency can be categorised loosely according to the type of semantic
structure (model) that the satisfaction relation of the logic is defined for. There are logics over
configurations (sets of consistent events) [15, 2] and logics over paths (or computations) [5, 27, 28, 29, 32],
although logics in [27, 28, 29] can be seen also as logics over configurations. Other structures such as
trees, graphs and Kripke frames are used as models in, for example, [26, 25, 17, 18].

The logic in this paper uses simple forward and reverse event identifier modalities that are sufficient
to characterise HH. In contrast, Baldan and Crafa [2] achieved an alternative characterisation of HH
with a different modal logic that uses solely forward-only event identifier modalities $(x)$ and $(x, y < a\,z)$.
The formula $(x, y < a\,z)\phi$ holds in a configuration if in its future there is an $a$-labelled event $e$ that can
be bound to $z$, and $\phi$ holds. Additionally, $e$ must be (1) caused at least by the events already bound
to the events in $x$ and (2) concurrent with at least the events already bound to the events in $y$. Several
interesting sublogics were also identified in [2] that characterise H, pomset bisimulation |@1 [12] and step
bisimulation [33, 12] respectively.

Goltz, Kuiper and Penczek [15] researched configurations of prime event structures without
autoconcurrency. In such a setting HH coincides with reverse interleaving bisimulation RI-IB (shown in 01).
Moreover, H coincides with WH. Partial Order Logic (POL) is proposed in [15]. POL contains past
modalities and the authors stated that it characterises RI-IB (and thus HH). Also, it is conjectured that if
one restricts POL in such a way that no forward modalities can be nested in a past modality, then such a
logic characterises H (and thus WH).

Cherief [5] defined a pomset bisimulation relation over paths and showed that it coincides with H
(defined over configurations). The author then predicted that an extension of HML with forward and reverse
pomset modalities characterises H. This idea was then developed further by Pinchinat, Laroussinie and
Schnoebelen in [32].

Nielsen and Clausen defined a $\delta$-bisimulation relation ($\delta$b) over paths [27, 29]. Unlike in 121 [32], one
is allowed to reverse independent maximal events in any order. This seemingly small change has a
profound effect on the strength of the equivalence: $\delta$b coincides with HH. It was shown that an extension of
HML with a reverse modality characterises HH when there is no autoconcurrency [27, 29]. Additionally,
it was stated (without a proof) [28] that an extension of HML with a reverse event index modality
characterises HH even in the presence of autoconcurrency. The notion of paths used in [27, 28, 29] induces
a notion of configuration. Hence, their logics could be understood as logics over configurations and
reverse index modality could be seen as a form of our reverse event identifier modality. We would argue,
however, that many properties of configurations related to causality and concurrency between events are
expressed more naturally with reverse identifier modalities.

Past or reverse modalities, which are central to our logic, were used before in a number of modal 
logics and temporal logics 1201 Ul El |26l [HI |23l HH |30l but only l26l [151 proposed logical characterisa- 
tions of true concurrency equivalences. Among the rest, HML with backward modalities in 171[6]| defined 
over paths is shown to characterise branching bisimulation. Finally, Gutierrez introduced a modal logic 
for transition systems with independence ITTl [TSl that has two diamond modalities: one for causally 
dependent transitions and the other for concurrent transitions with respect to a given transition. 

3 Configuration structures and equivalences 

In this section we define our computational model (stable configuration structures) and the various bisim- 
ulation equivalences for which we shall present logical characterisations. 

3.1 Configuration structures 

We work with stable configuration structures [13, 14, 12], which are equivalent to stable event
structures [36].

Definition 3.1. A configuration structure (over an alphabet Act) is a pair $\mathcal{C} = (C, \ell)$ where $C$ is a family
of finite sets (configurations) and $\ell : \bigcup_{X \in C} X \to \mathrm{Act}$ is a labelling function.

We use $C_{\mathcal{C}}, \ell_{\mathcal{C}}$ to refer to the two components of a configuration structure $\mathcal{C}$. Also we let
$E_{\mathcal{C}} = \bigcup_{X \in C_{\mathcal{C}}} X$, the events of $\mathcal{C}$. We let $e, \ldots$ range over events, and $E, F, \ldots$ over sets of events.
We let $a, b, c, \ldots$ range over labels in Act.

Definition 3.2 ([13]). A configuration structure $\mathcal{C} = (C, \ell)$ is stable if it is

• rooted: $\emptyset \in C$;

• connected: $\emptyset \neq X \in C$ implies $\exists e \in X : X \setminus \{e\} \in C$;

• closed under bounded unions: if $X, Y, Z \in C$ then $X \cup Y \subseteq Z$ implies $X \cup Y \in C$;

• closed under bounded intersections: if $X, Y, Z \in C$ then $X \cup Y \subseteq Z$ implies $X \cap Y \in C$.

Any stable configuration structure is the set of configurations of a stable event structure [12, Thm 5.3].

Definition 3.3. Let $\mathcal{C} = (C, \ell)$ be a stable configuration structure, and let $X \in C$.

• Causality: $d \le_X e$ iff for all $Y \in C$ with $Y \subseteq X$ we have $e \in Y$ implies $d \in Y$. Furthermore $d <_X e$
iff $d \le_X e$ and $d \neq e$.

• Concurrency: $d \mathrel{co_X} e$ iff $d \not\le_X e$ and $e \not\le_X d$.

It is shown in flT] that $<_X$ is a partial order and that the sub-configurations of $X$ are precisely those
subsets $Y$ which are left-closed w.r.t. $<_X$, i.e. if $d <_X e \in Y$ then $d \in Y$. Furthermore, if $X, Y \in C$ with
$Y \subseteq X$, then ${<_Y} = {<_X} \restriction Y$.

Recall that a prime event structure is a set of events with a labelling function, together with a causality
relation and a conflict relation (between events that cannot be members of the same configuration) [36].
The set of configurations of a prime event structure forms a stable configuration structure; prime event
structures are a proper subclass of stable event structures. All of our examples are given as prime event
structures or the corresponding CCS expressions. When drawing diagrams of prime event structures we
shall, as usual, depict the causal relation with arrows, and the conflict relation with dotted lines. We shall
also suppress the actual events and write their labels instead. Thus if we have two events $e_1$ and $e_2$, both
labelled with $a$, in diagrams we shall denote them as $a_1$ and $a_2$, respectively, when we wish to distinguish
between them. This is justified, since all the notions of equivalence we shall discuss depend on the labels
of the events, rather than the events themselves.

Example 3.4. Consider a prime event structure with events $e_1, e_2, e_3$ all labelled with $a$, where $e_1$ causes
$e_2$ and $e_1, e_2$ are concurrent with $e_3$. The corresponding CCS expression is $(a.a) \mid a$. The set of
configurations consists of $\emptyset$, $\{e_1\}$, $\{e_3\}$, $\{e_1, e_2\}$, $\{e_1, e_3\}$ and $\{e_1, e_2, e_3\}$.

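Definition 3.5. Let $\mathcal{C} = (C, \ell)$ be a stable configuration structure and let $a \in \mathrm{Act}$. We let
$X \xrightarrow{e}_{\mathcal{C}} X'$ iff $X, X' \in C$, $X \subseteq X'$ and $X' \setminus X = \{e\}$. Furthermore we let $X \xrightarrow{a}_{\mathcal{C}} X'$ iff
$X \xrightarrow{e}_{\mathcal{C}} X'$ for some $e$ with $\ell(e) = a$. We also define reverse transitions: $X \rightsquigarrow^{e}_{\mathcal{C}} X'$ iff
$X' \xrightarrow{e}_{\mathcal{C}} X$, and $X \rightsquigarrow^{a}_{\mathcal{C}} X'$ iff $X' \xrightarrow{a}_{\mathcal{C}} X$. The overloading of
notation whereby transitions can be labelled with events or with event labels should not cause confusion.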

For a set of events $E$, let $\ell(E)$ be the multiset of labels of events in $E$. We define a step transition
relation where concurrent events are executed in a single step:

Definition 3.6. Let $\mathcal{C} = (C, \ell)$ be a stable configuration structure and let $A \in \mathbb{N}^{\mathrm{Act}}$ ($A$ is a multiset over
Act). We let $X \xrightarrow{A}_{\mathcal{C}} X'$ iff $X, X' \in C$, $X \subseteq X'$, and $X' \setminus X = E$ with $d \mathrel{co_{X'}} e$ for all $d, e \in E$ and
$\ell(E) = A$.

We shall assume in what follows that stable configuration structures are image finite with respect to
forward transitions, i.e. for any configuration $X$ and any label $a$, the set $\{X' : X \xrightarrow{a}_{\mathcal{C}} X'\}$ is finite.

3.2 Equivalences 

We define history-preserving bisimulations and illustrate the differences between them with examples. 

Definition 3.7. Let $\mathcal{X} = (X, <_X, \ell_X)$ and $\mathcal{Y} = (Y, <_Y, \ell_Y)$ be partial orders which are labelled over Act.
We say that $\mathcal{X}$ and $\mathcal{Y}$ are isomorphic ($\mathcal{X} \cong \mathcal{Y}$) iff there is a bijection from $X$ to $Y$ respecting the ordering
and the labelling. The isomorphism class $[\mathcal{X}]_{\cong}$ of a partial order labelled over Act is called a pomset
over Act.

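Definition 3.8 (HI [12]). Let $\mathcal{C}, \mathcal{D}$ be stable configuration structures. A relation
$\mathcal{R} \subseteq C_{\mathcal{C}} \times C_{\mathcal{D}}$ is a weak history-preserving (WH) bisimulation between $\mathcal{C}$ and $\mathcal{D}$ if
$\mathcal{R}(\emptyset, \emptyset)$ and if $\mathcal{R}(X, Y)$ and $a \in \mathrm{Act}$ then:

• $(X, <_X, \ell_{\mathcal{C}} \restriction X) \cong (Y, <_Y, \ell_{\mathcal{D}} \restriction Y)$;

• if $X \xrightarrow{a}_{\mathcal{C}} X'$ then $\exists Y'.\ Y \xrightarrow{a}_{\mathcal{D}} Y'$ and $\mathcal{R}(X', Y')$;

• if $Y \xrightarrow{a}_{\mathcal{D}} Y'$ then $\exists X'.\ X \xrightarrow{a}_{\mathcal{C}} X'$ and $\mathcal{R}(X', Y')$.

We say that $\mathcal{C}$ and $\mathcal{D}$ are WH equivalent ($\mathcal{C} \approx_{wh} \mathcal{D}$) iff there is a WH bisimulation between $\mathcal{C}$ and $\mathcal{D}$.

Figure 2: Example 3.12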
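Definition 3.9 (IMl Ull). Let $\mathcal{C}, \mathcal{D}$ be stable configuration structures. A relation
$\mathcal{R} \subseteq C_{\mathcal{C}} \times C_{\mathcal{D}} \times \mathcal{P}(E_{\mathcal{C}} \times E_{\mathcal{D}})$ is a history-preserving (H) bisimulation between $\mathcal{C}$ and $\mathcal{D}$ iff
$\mathcal{R}(\emptyset, \emptyset, \emptyset)$ and if $\mathcal{R}(X, Y, f)$ and $a \in \mathrm{Act}$ then:

• $f$ is an isomorphism between $(X, <_X, \ell_{\mathcal{C}} \restriction X)$ and $(Y, <_Y, \ell_{\mathcal{D}} \restriction Y)$;

• if $X \xrightarrow{a}_{\mathcal{C}} X'$ then $\exists Y', f'.\ Y \xrightarrow{a}_{\mathcal{D}} Y'$, $\mathcal{R}(X', Y', f')$ and $f' \restriction X = f$;

• if $Y \xrightarrow{a}_{\mathcal{D}} Y'$ then $\exists X', f'.\ X \xrightarrow{a}_{\mathcal{C}} X'$, $\mathcal{R}(X', Y', f')$ and $f' \restriction X = f$.

We say that $\mathcal{C}$ and $\mathcal{D}$ are H equivalent ($\mathcal{C} \approx_{h} \mathcal{D}$) iff there is an H bisimulation between $\mathcal{C}$ and $\mathcal{D}$.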

Both H and WH have associated hereditary versions: 
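Definition 3.10 ([3, 21, 12]). Let $\mathcal{C}, \mathcal{D}$ be stable configuration structures and let $a \in \mathrm{Act}$. Then
$\mathcal{R} \subseteq C_{\mathcal{C}} \times C_{\mathcal{D}} \times \mathcal{P}(E_{\mathcal{C}} \times E_{\mathcal{D}})$ is a hereditary H (HH) bisimulation iff $\mathcal{R}$ is an H bisimulation and if
$\mathcal{R}(X, Y, f)$ then for any $a \in \mathrm{Act}$,

• if $X \rightsquigarrow^{a}_{\mathcal{C}} X'$ then $\exists Y', f'.\ Y \rightsquigarrow^{a}_{\mathcal{D}} Y'$, $\mathcal{R}(X', Y', f')$ and $f \restriction X' = f'$;

• if $Y \rightsquigarrow^{a}_{\mathcal{D}} Y'$ then $\exists X', f'.\ X \rightsquigarrow^{a}_{\mathcal{C}} X'$, $\mathcal{R}(X', Y', f')$ and $f \restriction X' = f'$.

We say that $\mathcal{C}$ and $\mathcal{D}$ are HH equivalent ($\mathcal{C} \approx_{hh} \mathcal{D}$) iff there is an HH bisimulation between $\mathcal{C}$ and $\mathcal{D}$.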
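Definition 3.11. Let $\mathcal{C}, \mathcal{D}$ be stable configuration structures and let $a \in \mathrm{Act}$. Then
$\mathcal{R} \subseteq C_{\mathcal{C}} \times C_{\mathcal{D}} \times \mathcal{P}(E_{\mathcal{C}} \times E_{\mathcal{D}})$ is a hereditary WH (HWH) bisimulation if $\mathcal{R}(\emptyset, \emptyset, \emptyset)$ and if
$\mathcal{R}(X, Y, f)$ and $a \in \mathrm{Act}$ then:

• $f$ is an isomorphism between $(X, <_X, \ell_{\mathcal{C}} \restriction X)$ and $(Y, <_Y, \ell_{\mathcal{D}} \restriction Y)$;

• if $X \xrightarrow{a}_{\mathcal{C}} X'$ then $\exists Y', f'.\ Y \xrightarrow{a}_{\mathcal{D}} Y'$ and $\mathcal{R}(X', Y', f')$;

• if $Y \xrightarrow{a}_{\mathcal{D}} Y'$ then $\exists X', f'.\ X \xrightarrow{a}_{\mathcal{C}} X'$ and $\mathcal{R}(X', Y', f')$;

• if $X \rightsquigarrow^{a}_{\mathcal{C}} X'$ then $\exists Y', f'.\ Y \rightsquigarrow^{a}_{\mathcal{D}} Y'$, $\mathcal{R}(X', Y', f')$ and $f \restriction X' = f'$;

• if $Y \rightsquigarrow^{a}_{\mathcal{D}} Y'$ then $\exists X', f'.\ X \rightsquigarrow^{a}_{\mathcal{C}} X'$, $\mathcal{R}(X', Y', f')$ and $f \restriction X' = f'$.

Also $\mathcal{C}$ and $\mathcal{D}$ are HWH equivalent ($\mathcal{C} \approx_{hwh} \mathcal{D}$) iff there is an HWH bisimulation between $\mathcal{C}$ and $\mathcal{D}$.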

The inclusions in Figure 1 are immediate from the definitions. They are strict inclusions:

Example 3.12 ([31]). Consider event structures $\mathcal{E}, \mathcal{F}$ in Figure 2 where each event structure has four
$a$-labelled and four $b$-labelled events. $\mathcal{E} = \mathcal{F}$ holds for $\approx_{hwh}$, and hence for $\approx_{wh}$, but not for $\approx_{h}$, and
hence not for $\approx_{hh}$. We now show this. $\mathcal{E}, \mathcal{F}$ have the same configurations except that $\{a_2, a_3, b_3\}$ is
missing in $\mathcal{F}$. We define a bisimulation by relating all isomorphic states, and check that it is an HWH.
To see that $\mathcal{E}$ and $\mathcal{F}$ are not H-equivalent, consider $\emptyset \xrightarrow{a} \xrightarrow{a} \{a_2, a_3\}$ in $\mathcal{F}$. This must be matched by
moving to configuration $\{a_i, a_{i+1}\}$ in $\mathcal{E}$, where $i \in \{1, 2, 3\}$. But then both $b_i$ and $b_{i+1}$ are possible.
However $\{a_2, a_3\}$ in $\mathcal{F}$ can only do $b_2$. Hence one of the $b_i$ and $b_{i+1}$ in $\mathcal{E}$ cannot be matched to $b_2$ in
such way that the resulting isomorphism contains the already established pairs (either $(a_2, a_i), (a_3, a_{i+1})$
or $(a_2, a_{i+1}), (a_3, a_i)$) and is history-preserving.

Example 3.13. The Absorption Law Bl [3, 12]

$$(a \mid (b + c)) + (a \mid b) + ((a + c) \mid b) = (a \mid (b + c)) + ((a + c) \mid b)$$

holds for $\approx_{h}$, and thus for $\approx_{wh}$, but not for $\approx_{hwh}$.

4 Event Identifier Logic 

We now introduce our logic, which we call Event Identifier Logic (EIL). We assume an infinite set of
identifiers Id, ranged over by $x, y, z, \ldots$ The syntax of EIL is as follows:

$$\phi ::= \mathsf{tt} \mid \neg\phi \mid \phi \wedge \phi' \mid \langle x : a\rangle\rangle\phi \mid (x : a)\phi \mid \langle\langle x\rangle\phi$$

We include the usual operators of propositional logic: truth $\mathsf{tt}$, negation $\neg\phi$ and conjunction $\phi \wedge \phi'$. We
then have forward diamond $\langle x : a\rangle\rangle\phi$, which says that it is possible to perform an event labelled with $a$
and reach a new configuration where $\phi$ holds. In the formula $\langle x : a\rangle\rangle\phi$, the modality $\langle x : a\rangle\rangle$ binds all free
occurrences of $x$ in $\phi$. Next we have declaration $(x : a)\phi$. This says that there is some event with label
$a$ in the current configuration which can be bound to $x$, in such a way that $\phi$ holds. Here the declaration
$(x : a)$ binds all free occurrences of $x$ in $\phi$. Finally we have reverse diamond $\langle\langle x\rangle\phi$. This says that it
is possible to perform the reverse event bound to identifier $x$, and reach a configuration where $\phi$ holds.
Note that $\langle\langle x\rangle$ does not bind $x$. Clearly any occurrences of $x$ that get bound by $(x : a)$ must be of the form
$\langle\langle x\rangle$. We allow alpha-conversion of bound names. We use $\phi, \ldots$ to range over formulas of EIL.

Example 4.1. The formula $\langle x : a\rangle\rangle\langle y : a\rangle\rangle\langle\langle x\rangle\mathsf{tt}$ says that there are events with label $a$, say $e_1$ and $e_2$, that
can be bound to $x$ and $y$ such that, after performing $e_1$ and then $e_2$, we can reverse $e_1$. Obviously, after
performing $e_1$ followed by $e_2$, we can always reverse $e_2$. This formula could be interpreted as saying that
an event bound to $x$ is concurrent with an event bound to $y$. Next, consider $\langle x : a\rangle\rangle\langle y : a\rangle\rangle\neg\langle\langle x\rangle\mathsf{tt}$. The
formula expresses that an event bound to $x$ causes an event bound to $y$ (because if we could reverse $x$
before $y$, we would reach a configuration containing $y$ and not $x$, which contradicts $x$ being a cause of $y$).

Definition 4.2. We define $\mathrm{fi}(\phi)$, the set of free identifiers of $\phi$, by induction on formulas:

$$\mathrm{fi}(\mathsf{tt}) = \emptyset \qquad \mathrm{fi}(\neg\phi) = \mathrm{fi}(\phi) \qquad \mathrm{fi}(\phi_1 \wedge \phi_2) = \mathrm{fi}(\phi_1) \cup \mathrm{fi}(\phi_2)$$

$$\mathrm{fi}((x : a)\phi) = \mathrm{fi}(\phi) \setminus \{x\} \qquad \mathrm{fi}(\langle x : a\rangle\rangle\phi) = \mathrm{fi}(\phi) \setminus \{x\} \qquad \mathrm{fi}(\langle\langle x\rangle\phi) = \mathrm{fi}(\phi) \cup \{x\}$$

We say that $\phi$ is closed if $\mathrm{fi}(\phi) = \emptyset$; otherwise $\phi$ is open.

In order to assign meaning to open formulas, as usual we employ environments which tell us what
events the free identifiers are bound to.

Definition 4.3. An environment $\rho$ is a partial mapping from Id to events. We say that $\rho$ is a permissible
environment for $\phi$ and $X$ if $\mathrm{fi}(\phi) \subseteq \mathrm{dom}(\rho)$ and $\mathrm{rge}(\rho \restriction \mathrm{fi}(\phi)) \subseteq X$.

We let $\emptyset$ denote the empty environment. We let $\rho[x \mapsto e]$ denote the environment $\rho'$ which agrees
with $\rho$ except possibly on $x$, where $\rho'(x) = e$ (and $\rho(x)$ may or may not be defined). We abbreviate
$\emptyset[x \mapsto e]$ by $[x \mapsto e]$. We let $\rho \setminus x$ denote $\rho$ with the assignment to $x$ deleted (if defined in $\rho$).

Now we can formally define the semantics of EIL:

Definition 4.4. Let $\mathcal{C}$ be a stable configuration structure. We define a satisfaction relation $\mathcal{C}, X, \rho \models \phi$
where $X$ is a configuration of $\mathcal{C}$, and $\rho$ is a permissible environment for $\phi$ and $X$, by induction on
formulas as follows (we suppress the $\mathcal{C}$ where it is clear from the context):

• $X, \rho \models \mathsf{tt}$ always

• $X, \rho \models \neg\phi$ iff $X, \rho \not\models \phi$

• $X, \rho \models \phi_1 \wedge \phi_2$ iff $X, \rho \models \phi_1$ and $X, \rho \models \phi_2$

• $X, \rho \models \langle x : a\rangle\rangle\phi$ iff $\exists X', e$ such that $X \xrightarrow{e}_{\mathcal{C}} X'$ with $\ell(e) = a$ and $X', \rho[x \mapsto e] \models \phi$

• $X, \rho \models (x : a)\phi$ iff $\exists e \in X$ such that $\ell(e) = a$ and $X, \rho[x \mapsto e] \models \phi$

• $X, \rho \models \langle\langle x\rangle\phi$ iff $\exists X', e$ such that $X \rightsquigarrow^{e}_{\mathcal{C}} X'$ with $\rho(x) = e$ and $X', \rho \models \phi$ (and $\rho$ is a permissible
environment for $\phi$ and $X'$)

For closed $\phi$ we further define $\mathcal{C}, X \models \phi$ iff $\mathcal{C}, X, \emptyset \models \phi$, and $\mathcal{C} \models \phi$ iff $\mathcal{C}, \emptyset \models \phi$.

In the case of $\langle\langle x\rangle\phi$, note that even though according to the syntax $x$ is allowed to occur free in $\phi$, if
$x$ does occur free in $\phi$ then $X, \rho \models \langle\langle x\rangle\phi$ can never hold: if $\rho(x) = e$ and $X \rightsquigarrow^{e}_{\mathcal{C}} X'$ then $X', \rho \models \phi$ cannot
hold, since $\rho$ is not a permissible environment for $\phi$ and $X'$, as $\rho$ assigns a free identifier of $\phi$ to an event
outside $X'$.

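Example 4.5. Consider the configuration structure from Example 3.4. The empty configuration
satisfies $\langle x : a\rangle\rangle\langle y : a\rangle\rangle\langle\langle x\rangle\mathsf{tt}$: we have $\emptyset, \emptyset \models \langle x : a\rangle\rangle\langle y : a\rangle\rangle\langle\langle x\rangle\mathsf{tt}$ since
$\{e_1, e_3\}, [x \mapsto e_1, y \mapsto e_3] \models \langle\langle x\rangle\mathsf{tt}$; the latter holds because $\{e_1, e_3\} \rightsquigarrow^{e_1} \{e_3\}$ and $\rho(x) = e_1$. Also,
$\emptyset, \emptyset \models \langle x : a\rangle\rangle\langle y : a\rangle\rangle\neg\langle\langle x\rangle\mathsf{tt}$. We have $\emptyset, \emptyset \models \langle x : a\rangle\rangle\langle y : a\rangle\rangle\neg\langle\langle x\rangle\mathsf{tt}$ since
$\{e_1, e_2\}, [x \mapsto e_1, y \mapsto e_2] \models \neg\langle\langle x\rangle\mathsf{tt}$. This is because $\{e_1, e_2\} \not\rightsquigarrow^{e_1} \{e_2\}$ as
$\{e_2\}$ is not a configuration.

The closed formula $(x : a)\mathsf{tt}$ says that there is some event labelled with $a$ in the current configuration:
$X \models (x : a)\mathsf{tt}$ iff $\exists e \in X.\ \ell(e) = a$. Returning to Example 3.4, note that as well as
$\{e_1, e_2\}, [x \mapsto e_1, y \mapsto e_2] \models \neg\langle\langle x\rangle\mathsf{tt}$ this also holds: $\{e_1, e_2\}, [x \mapsto e_1, y \mapsto e_2] \models (x : a)\langle\langle x\rangle\mathsf{tt}$. By the
definition of $(x : a)$, the current environment is updated to $[x \mapsto e_2, y \mapsto e_2]$ and we obtain
$\{e_1, e_2\}, [x \mapsto e_2, y \mapsto e_2] \models \langle\langle x\rangle\mathsf{tt}$. Correspondingly,
$\{e_1, e_2\}, [x \mapsto e_1, y \mapsto e_2] \models (x : a)\langle\langle x\rangle(y : a)\langle\langle y\rangle\mathsf{tt}$. However,
$\{e_1, e_2\}, [x \mapsto e_1, y \mapsto e_2] \not\models (x : a)\langle\langle x\rangle\langle\langle y\rangle\mathsf{tt}$ since $\{e_1\}, [x \mapsto e_2, y \mapsto e_2] \not\models \langle\langle y\rangle\mathsf{tt}$.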
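
The satisfaction relation of Definition 4.4 can be checked mechanically on finite structures. The following Python code is an added example, not code from the paper: it enumerates the configurations of small prime event structures and evaluates EIL formulas, reproducing the judgements of Example 4.5 and the introduction's distinctions between concurrent and causally ordered processes. The tuple encoding of formulas and all function and constant names are assumptions of this example.

```python
from itertools import combinations

# Formula encoding (an assumption of this example, not the paper's notation):
#   ("tt",)  ("not", f)  ("and", f, g)
#   ("fwd", x, a, f)   forward diamond  <x:a>> f
#   ("decl", x, a, f)  declaration      (x:a) f
#   ("rev", x, f)      reverse diamond  <<x> f
TT = ("tt",)

def structure(labels, causes=(), conflicts=()):
    """Configurations of a small prime event structure.

    labels: event -> label; causes: pairs (d, e), d a direct cause of e;
    conflicts: pairs of conflicting events. Returns (configs, labels).
    """
    events = sorted(labels)
    configs = set()
    for r in range(len(events) + 1):
        for subset in combinations(events, r):
            s = frozenset(subset)
            left_closed = all(d in s for d, e in causes if e in s)
            conflict_free = not any(d in s and e in s for d, e in conflicts)
            if left_closed and conflict_free:
                configs.add(s)
    return configs, dict(labels)

def free_ids(f):
    """Free identifiers fi(f), following Definition 4.2."""
    tag = f[0]
    if tag == "tt":
        return frozenset()
    if tag == "not":
        return free_ids(f[1])
    if tag == "and":
        return free_ids(f[1]) | free_ids(f[2])
    if tag in ("fwd", "decl"):
        return free_ids(f[3]) - {f[1]}
    if tag == "rev":
        return free_ids(f[2]) | {f[1]}
    raise ValueError(tag)

def permissible(f, X, env):
    """Definition 4.3: every free identifier is bound to an event inside X."""
    return all(x in env and env[x] in X for x in free_ids(f))

def sat(cs, X, env, f):
    """Definition 4.4; env is assumed permissible for f and X."""
    configs, label = cs
    tag = f[0]
    if tag == "tt":
        return True
    if tag == "not":
        return not sat(cs, X, env, f[1])
    if tag == "and":
        return sat(cs, X, env, f[1]) and sat(cs, X, env, f[2])
    if tag == "fwd":
        _, x, a, body = f
        return any(sat(cs, X | {e}, {**env, x: e}, body)
                   for e in label
                   if e not in X and label[e] == a and (X | {e}) in configs)
    if tag == "decl":
        _, x, a, body = f
        return any(sat(cs, X, {**env, x: e}, body) for e in X if label[e] == a)
    if tag == "rev":
        _, x, body = f
        e = env.get(x)
        if e is None or e not in X:
            return False
        X2 = X - {e}
        # Reversing is allowed only if env stays permissible in the target.
        return X2 in configs and permissible(body, X2, env) and sat(cs, X2, env, body)
    raise ValueError(tag)

def holds(cs, f, X=(), env=None):
    """Check X, env |= f; defaults give satisfaction by the empty configuration."""
    X, env = frozenset(X), dict(env or {})
    if not permissible(f, X, env):
        raise ValueError("environment is not permissible for this formula")
    return sat(cs, X, env, f)

# Constructed sample structures: a | b, a.b + b.a, Example 3.4, a, a + a.
A_PAR_B = structure({"e1": "a", "e2": "b"})
AB_PLUS_BA = structure({"e1": "a", "e2": "b", "e3": "b", "e4": "a"},
                       causes=[("e1", "e2"), ("e3", "e4")],
                       conflicts=[("e1", "e3")])
EX_3_4 = structure({"e1": "a", "e2": "a", "e3": "a"}, causes=[("e1", "e2")])
A_ONLY = structure({"e1": "a"})
A_PLUS_A = structure({"e1": "a", "e2": "a"}, conflicts=[("e1", "e2")])

CONCURRENT = ("fwd", "x", "a", ("fwd", "y", "b", ("rev", "x", TT)))
CAUSES = ("fwd", "x", "a", ("fwd", "y", "b", ("not", ("rev", "x", TT))))
# <x:a>> <<x> <y:a>> not <<x> tt : x is used after being reversed.
REUSE = ("fwd", "x", "a",
         ("rev", "x", ("fwd", "y", "a", ("not", ("rev", "x", TT)))))
```

The permissibility test inside the reverse case is what keeps `REUSE` from separating a from a + a: once x has been reversed, its event lies outside the configuration and any remaining formula that mentions x cannot be evaluated.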

We introduce further operators as derived operators of EIL: 
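Notation 4.6 (Derived operators). Let $A = \{a_1, \ldots, a_n\}$ be a multiset of labels.

• $\mathsf{ff} = \neg\mathsf{tt}$, $[x : a]]\phi = \neg\langle x : a\rangle\rangle\neg\phi$, $\phi_1 \vee \phi_2 = \neg(\neg\phi_1 \wedge \neg\phi_2)$

• Forward step $\langle A\rangle\rangle\phi = \langle x_1 : a_1\rangle\rangle \cdots \langle x_n : a_n\rangle\rangle(\phi \wedge \bigwedge_{i=1}^{n-1} \langle\langle x_i\rangle\mathsf{tt})$ where $x_1, \ldots, x_n$ are fresh and distinct
(and in particular are not free in $\phi$). We write $\langle a_1, \ldots, a_n\rangle\rangle\phi$ instead of $\langle\{a_1, \ldots, a_n\}\rangle\rangle\phi$. In the case
$n = 1$ we have $\langle a\rangle\rangle\phi = \langle x : a\rangle\rangle\phi$ where $x$ is fresh.

• Reverse step $\langle\langle A\rangle\phi = (x_1 : a_1) \cdots (x_n : a_n)(\langle\langle x_1\rangle \cdots \langle\langle x_n\rangle\phi \wedge \bigwedge_{i=2}^{n} \langle\langle x_i\rangle\mathsf{tt})$ where $x_1, \ldots, x_n$ are fresh
and distinct (and in particular are not free in $\phi$). We write $\langle\langle a_1, \ldots, a_n\rangle\phi$ instead of $\langle\langle\{a_1, \ldots, a_n\}\rangle\phi$.
In the case $n = 1$ we have $\langle\langle a\rangle\phi = (x : a)\langle\langle x\rangle\phi$ where $x$ is fresh.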

Example 4.7. Consider $\mathcal{E}, \mathcal{F}$ in Figure 2 and
$\phi = [x : a]][y : a]](\langle z : b\rangle\rangle\neg\langle\langle x\rangle\mathsf{tt} \wedge \langle w : b\rangle\rangle\neg\langle\langle y\rangle\mathsf{tt})$. We
easily check that $\mathcal{E}$ satisfies $\phi$ and $\mathcal{F}$ does not. Next, consider
$\psi = \langle x : a\rangle\rangle([w : c]]\mathsf{ff} \wedge \langle y : b\rangle\rangle\langle\langle x\rangle[z : c]]\mathsf{ff})$.
Then the LHS structure of the Absorption Law in Example 3.13 satisfies $\psi$ and the RHS does
not. Strictly speaking, event identifiers are not necessary to distinguish the two pairs of configuration
structures. A formula with simple label modalities $\langle a\rangle\rangle([c]]\mathsf{ff} \wedge \langle b\rangle\rangle\langle\langle a\rangle[c]]\mathsf{ff})$ is sufficient for the
Absorption Law, and $\mathcal{E}, \mathcal{F}$ in Figure 2 can be distinguished by a logic with pomset modalities (both
reverse and forward) defined over runs [5, 32].

Figure 3: Example 4.8

Example 4.8. Consider $\mathcal{E}, \mathcal{F}$ in Figure 3. There is a non-binary conflict among the three initial
$a$-events (indicated by a dashed ellipsis) defined by requiring that at most two of these events can appear
in any configuration. $\mathcal{E}$ and $\mathcal{F}$ are H equivalent: we define a bisimulation by relating configurations
of identically labelled events (including where $a_4$ is matched with $a_4'$) and check that it is an H. The
structures are also HWH equivalent. This time we define a bisimulation between order isomorphic
configurations (of which there are only five isomorphism classes: $\emptyset$, $\{a\}$, $\{a, a\}$, $\{a < a\}$ and $\{a < a, a\}$,
where events separated by commas are concurrent) and check that it is an HWH. However, $\mathcal{E}$ and $\mathcal{F}$
are not HH equivalent and event identifiers are indeed necessary to distinguish them. The formula
$\langle x : a\rangle\rangle\langle y : a\rangle\rangle(\neg\langle\langle x\rangle\mathsf{tt} \wedge \langle z : a\rangle\rangle\langle\langle y\rangle\langle w : a\rangle\rangle\neg\langle\langle z\rangle\mathsf{tt} \wedge \langle z' : a\rangle\rangle\langle\langle y\rangle\neg\langle w' : a\rangle\rangle\neg\langle\langle z'\rangle\mathsf{tt})$
is only satisfied by $\mathcal{E}$. It requires that $x$ causes $y$ and that $z$ and $z'$ are bound to different events because
$\langle z : a\rangle\rangle$ and $\langle z' : a\rangle\rangle$ are followed by mutually contradictory behaviours. This is possible in $\mathcal{E}$ ($a_1, a_4$ can be
followed by either $a_3$ or $a_2$) but not in $\mathcal{F}$: none of the pairs of causally dependent events offers two
different $a$-events.

5 Using EIL to characterise equivalences 

We wish to show that EIL and its various sublogics characterise the equivalences defined in Section 3.2.
Each sublogic of EIL induces an equivalence on configuration structures in a standard fashion:

Definition 5.1. Let $L$ be any sublogic of EIL. Then $L$ induces an equivalence on stable configuration
structures as follows: $\mathcal{C} \sim_L \mathcal{D}$ iff for all closed $\phi \in L$ we have $\mathcal{C} \models \phi$ iff $\mathcal{D} \models \phi$.

First we introduce a simple sublogic that allows us to characterise order isomorphism.

5.1 Reverse-only logic and order isomorphism

We define sublogics of EIL, consisting of formulas where only reverse transitions are allowed.

Definition 5.2. Reverse-only logic $\mathrm{EIL}_{ro}$:

$$\phi ::= \mathsf{tt} \mid \neg\phi \mid \phi \wedge \phi' \mid (x : a)\phi \mid \langle\langle x\rangle\phi$$

We further define declaration-free reverse-only logic $\mathrm{EIL}_{dfro}$:

$$\phi ::= \mathsf{tt} \mid \neg\phi \mid \phi \wedge \phi' \mid \langle\langle x\rangle\phi$$

These logics are preserved between isomorphic configurations, and characterise configurations up to
isomorphism.

Lemma 5.3. Let $\mathcal{C}, \mathcal{D}$ be stable configuration structures, and let $X, Y$ be configurations of $\mathcal{C}, \mathcal{D}$
respectively. Suppose that $f : X \cong Y$. Then for any $\phi \in \mathrm{EIL}_{ro}$, and any $\rho$ (permissible environment for $\phi$ and
$X$), we have $X, \rho \models \phi$ iff $Y, f \circ \rho_\phi \models \phi$.

Recall that $\rho_\phi$ is an abbreviation for $\rho \restriction \mathrm{fi}(\phi)$. Function composition is in applicative rather than
diagrammatic order.

Given any configuration $X$ we can create a closed formula $\theta_X \in \mathrm{EIL}_{ro}$ which gives the order structure
of $X$. We make this precise in the following lemma:

Lemma 5.4. Let $X$ be a configuration of a stable configuration structure $\mathcal{C}$. There is a closed formula
$\theta_X \in \mathrm{EIL}_{ro}$, such that if $Y$ is any configuration of a stable configuration structure $\mathcal{D}$ and $|Y| = |X|$, then
$Y \cong X$ iff $Y \models \theta_X$.

The next lemma follows fairly immediately from the proof of Lemma 5.4 and from Lemma 5.3.

Lemma 5.5. Let $X$ be a configuration of a stable configuration structure $\mathcal{C}$. Let $\{z_e : e \in X\}$ be distinct
identifiers. Let the environment $\rho_X$ be defined by $\rho_X(z_e) = e$ ($e \in X$). There is a formula $\theta'_X \in \mathrm{EIL}_{dfro}$
with $\mathrm{fi}(\theta'_X) = \{z_e : e \in X\}$, such that $X, \rho_X \models \theta'_X$ and if $Y$ is any configuration of a stable configuration
structure $\mathcal{D}$ and $|Y| = |X|$, then $Y \cong X$ iff $\exists\rho.\ Y, \rho \models \theta'_X$.

5.2 Logics for history-preserving bisimulations 

We start by showing that EIL characterises HH-bisimulation. We then present sublogics of EIL which 
correspond to H-bisimulation, WH-bisimulation and HWH-bisimulation. 

Our first result is related to the result of [28] that a logic with reverse event index modality (discussed
above in Section 2) characterises HH.

Theorem 5.6. Let $\mathcal{C}, \mathcal{D}$ be stable configuration structures. Then, $\mathcal{C} \approx_{hh} \mathcal{D}$ if and only if $\mathcal{C} \sim_{\mathrm{EIL}} \mathcal{D}$.

Remark 5.7. In fact Theorem 5.6 would hold with the logic restricted by not using declarations $(x : a)\phi$.
However we include declarations in EIL because they are useful in defining sublogics for WH, among
other things.

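We define a sublogic of EIL which characterises history-preserving bisimulation:

Definition 5.8. $\mathrm{EIL}_{h}$ is given as follows, where $\phi_r$ is a formula of $\mathrm{EIL}_{ro}$:

$$\phi ::= \mathsf{tt} \mid \neg\phi \mid \phi \wedge \phi' \mid \langle x : a\rangle\rangle\phi \mid (x : a)\phi \mid \phi_r$$

$\mathrm{EIL}_{h}$ is just EIL with $\langle\langle x\rangle\phi$ replaced by $\phi_r \in \mathrm{EIL}_{ro}$. Thus one is not allowed to go forward after
going in reverse. This concept of disallowing forward moves embedded inside reverse moves appears
inini.

Theorem 5.9. Let $\mathcal{C}, \mathcal{D}$ be stable configuration structures. Then, $\mathcal{C} \approx_{h} \mathcal{D}$ if and only if $\mathcal{C} \sim_{\mathrm{EIL}_{h}} \mathcal{D}$.

Remark 5.10. Just as for Theorem 5.6, Theorem 5.9 would still hold if we disallow declarations $(x : a)\phi$.
This gives the following more minimal logic, where $\phi_r \in \mathrm{EIL}_{dfro}$:

$$\phi ::= \mathsf{tt} \mid \neg\phi \mid \phi \wedge \phi' \mid \langle x : a\rangle\rangle\phi \mid \phi_r$$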

We define a sublogic $\mathrm{EIL}_{wh}$ of $\mathrm{EIL}_{h}$ which characterises weak history-preserving bisimulation. We
get from $\mathrm{EIL}_{h}$ to $\mathrm{EIL}_{wh}$ by simply requiring that all formulas of $\mathrm{EIL}_{wh}$ are closed.

Definition 5.11. $\mathrm{EIL}_{wh}$ is given as follows, where $\varphi_{rc}$ is a closed formula of $\mathrm{EIL}_{ro}$ (Definition 5.2):

$\varphi ::= \mathrm{tt} \mid \neg\varphi \mid \varphi \wedge \varphi' \mid \langle a\rangle\rangle\varphi \mid \varphi_{rc}$

In the above definition we write $\langle a\rangle\rangle\varphi$ rather than $\langle x : a\rangle\rangle\varphi$ since $\varphi$ is closed and in particular $x$ does
not occur free in $\varphi$ (Notation 4.6). Also we omit declarations $(x : a)\varphi$ since they have no effect when $\varphi$
is closed. Of course declarations can occur in $\varphi_{rc}$.

Theorem 5.12. Let $\mathcal{C}$, $\mathcal{D}$ be stable configuration structures. Then, $\mathcal{C} \approx_{wh} \mathcal{D}$ iff $\mathcal{C} \sim_{\mathrm{EIL}_{wh}} \mathcal{D}$.

We believe that $\mathrm{EIL}_{wh}$ is the first logic proposed for weak history-preserving bisimulation with
autoconcurrency allowed. Goltz et al. [15] described a logic for weak history-preserving bisimulation
with no autoconcurrency allowed, but in this case, weak history-preserving bisimulation is as strong as
history-preserving bisimulation [12].

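Just as we weakened $\mathrm{EIL}_{h}$ to get $\mathrm{EIL}_{wh}$ we can weaken EIL by requiring that forward transitions
$\langle x : a\rangle\rangle\varphi$ are only allowed if $\varphi$ is closed. Again instead of $\langle x : a\rangle\rangle\varphi$ we write $\langle a\rangle\rangle\varphi$. This gives us $\mathrm{EIL}_{hwh}$:

Definition 5.13. $\mathrm{EIL}_{hwh}$ is given below, where $\varphi_c$ ranges over closed formulas of $\mathrm{EIL}_{hwh}$.

$\varphi ::= \mathrm{tt} \mid \neg\varphi \mid \varphi \wedge \varphi' \mid \langle a\rangle\rangle\varphi_c \mid (x : a)\varphi \mid \langle\langle x\rangle\varphi$

Plainly $\mathrm{EIL}_{wh}$ is a sublogic of $\mathrm{EIL}_{hwh}$ as well as of $\mathrm{EIL}_{h}$.

Theorem 5.14. Let $\mathcal{C}$, $\mathcal{D}$ be stable configuration structures. Then, $\mathcal{C} \approx_{hwh} \mathcal{D}$ iff $\mathcal{C} \sim_{\mathrm{EIL}_{hwh}} \mathcal{D}$.

With no (equidepth) autoconcurrency, we know that $\approx_{hwh}$ is as strong as $\approx_{hh}$ [3, 31]. So $\mathrm{EIL}_{hwh}$ is
as strong as EIL in this case.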

6 Characteristic formulas 

In this section we investigate characteristic formulas for three of the equivalences we have considered, 
namely HH, H and WH. The idea is that we reduce checking whether $\mathcal{C}$ and $\mathcal{D}$ satisfy the same formulas
in a logic such as EIL to the question of whether $\mathcal{D}$ satisfies a particular formula $\chi_{\mathcal{C}}$, the characteristic
formula of $\mathcal{C}$, which completely expresses the behaviour of $\mathcal{C}$, at least as far as the particular logic
is concerned. As pointed out in [1], this means that checking whether two structures are equivalent is
changed from the problem of potentially having to check infinitely many formulas into a single
model-checking problem $\mathcal{D} \models \chi_{\mathcal{C}}$.

Characteristic formulas for models of concurrent systems were first investigated in [16], and
subsequently in [35] and other papers — see UJ for further references. As far as we are aware, characteristic
formulas have not previously been investigated for any true concurrency logic, although we should men- 
tion that in HI characteristic formulas are studied for a logic with both forward and reverse modalities, 
related to the back and forth simulation of [6]. 

We shall confine ourselves to finite stable configuration structures in this section. Even with this 
assumption, it is not obvious that an equivalence such as HH, which employs both forward and reverse 
transitions, can be captured by a single finite-depth formula. To show that forward and reverse transitions 
need not alternate for ever, we first relate HH to a simple game. 

Definition 6.1. Let $\mathcal{C}$, $\mathcal{D}$ be finite stable configuration structures. The game $G(\mathcal{C}, \mathcal{D})$ has two players: A
(attacker) and D (defender). The set of game states is $S(\mathcal{C}, \mathcal{D}) = \{(X, Y, f) : X \in C_{\mathcal{C}}, Y \in C_{\mathcal{D}}, f : X \cong Y\}$.
The start state is $(\emptyset, \emptyset, \emptyset)$. At each state of the game A chooses a forward (resp. reverse) move $e$ of either
$\mathcal{C}$ or $\mathcal{D}$. Then D must reply with a corresponding forward (resp. reverse) move $e'$ by the other structure.
Going forwards we extend $f$ to $f'$ and going in reverse we restrict $f$ to $f'$, as in the definition of HH. The
two moves produce a new game state $(X', Y', f')$. Then D wins if we get to a previously visited state.
Conversely, A wins if D cannot find a move. (Also D wins if A cannot find a move, but that can only
happen if both $\mathcal{C}$ and $\mathcal{D}$ have only the empty configuration.)

It is reasonable that D wins if a state is repeated, since if A then chooses a different and better move 
at the repeated state, A could have chosen that on the previous occasion. 
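Definition 6.2. Given finite stable configuration structures $\mathcal{C}$, $\mathcal{D}$, let $s(\mathcal{C}, \mathcal{D}) = |S(\mathcal{C}, \mathcal{D})|$, let
$c(\mathcal{C}) = \max\{|X| : X \in C_{\mathcal{C}}\}$, and let $c(\mathcal{C}, \mathcal{D}) = \min\{c(\mathcal{C}), c(\mathcal{D})\}$.

Clearly any play of the game $G(\mathcal{C}, \mathcal{D})$ finishes after no more than $s(\mathcal{C}, \mathcal{D})$ moves. We can place an
upper bound on $s(\mathcal{C}, \mathcal{D})$ as follows:

Proposition 6.3. Let $\mathcal{C}$, $\mathcal{D}$ be finite stable configuration structures. Then $s(\mathcal{C}, \mathcal{D}) \le |C_{\mathcal{C}}| \cdot |C_{\mathcal{D}}| \cdot c(\mathcal{C}, \mathcal{D})!$.

Note that if there is no autoconcurrency, any isomorphism $f : X \cong Y$ is unique, and so we can improve
the upper bound on the number of states to $s(\mathcal{C}, \mathcal{D}) \le |C_{\mathcal{C}}| \cdot |C_{\mathcal{D}}|$.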

Proposition 6.4. Let $\mathcal{C}$, $\mathcal{D}$ be finite stable configuration structures. Then $\mathcal{C} \approx_{hh} \mathcal{D}$ iff defender D has a
winning strategy for the game $G(\mathcal{C}, \mathcal{D})$.

Remark 6.5. Certainly game characterisations of HH equivalence have been used many times before; see 
e.g. ||9l[T0l[ITl|22l[lT|. However defender is usually said to win if the play continues for ever, whereas 
we say that defender wins if a state is repeated. This is because we are working with finite configuration 
structures, rather than, say, Petri nets. 
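
The game of Definition 6.1 and Proposition 6.4, as an added example that is not code from the paper: rather than playing the game out, it builds every game state (X, Y, f) and repeatedly deletes the states at which the defender has no reply, so the two structures are HH equivalent iff the start state survives. The names `Structure`, `isos`, `extends`, `safe`, `hh_bisimilar` and the three sample structures are hypothetical; taking an event's label from the first character of its name, and the causal order "d <_X e iff every configuration inside X that contains e contains d", are assumptions of this example.

```python
from itertools import permutations

class Structure:
    """Finite configuration structure; an event's label is its first character."""
    def __init__(self, configs):
        self.configs = {frozenset(c) for c in configs}
    def order(self, X):
        # assumed causal order: d <_X e iff every configuration Z inside X with e has d
        subs = [Z for Z in self.configs if Z <= X]
        return {(d, e) for d in X for e in X
                if d != e and all(d in Z for Z in subs if e in Z)}
    def fwd(self, X):   # configurations one forward move away from X
        return [Z for Z in self.configs if X < Z and len(Z) == len(X) + 1]
    def rev(self, X):   # configurations one reverse move away from X
        return [Z for Z in self.configs if Z < X and len(Z) == len(X) - 1]

def isos(C, X, D, Y):
    """Label- and order-preserving bijections f : X -> Y, as frozensets of pairs."""
    xs, oX, oY = sorted(X), C.order(X), D.order(Y)
    for perm in permutations(sorted(Y)):
        f = dict(zip(xs, perm))
        if (all(e[0] == f[e][0] for e in xs)
                and {(f[d], f[e]) for d, e in oX} == oY):
            yield frozenset(f.items())

def extends(s, t):      # t is s plus exactly one matched pair of events
    return s[0] < t[0] and s[1] < t[1] and s[2] < t[2] and len(t[2]) == len(s[2]) + 1

def safe(C, D, s, S):
    # every forward or reverse move of either structure has a matching reply in S
    up = [t for t in S if extends(s, t)]
    down = [t for t in S if extends(t, s)]
    return (all(any(t[0] == Z for t in up) for Z in C.fwd(s[0]))
            and all(any(t[1] == Z for t in up) for Z in D.fwd(s[1]))
            and all(any(t[0] == Z for t in down) for Z in C.rev(s[0]))
            and all(any(t[1] == Z for t in down) for Z in D.rev(s[1])))

def hh_bisimilar(C, D):
    """True iff the start state survives pruning of states where the defender is stuck."""
    S = {(X, Y, f) for X in C.configs for Y in D.configs
         if len(X) == len(Y) for f in isos(C, X, D, Y)}
    while stuck := {s for s in S if not safe(C, D, s, S)}:
        S -= stuck
    return (frozenset(),) * 3 in S

# Constructed samples: a | b, a.b + b.a, and the autoconcurrent a | a.
PAR = Structure([(), ("a",), ("b",), ("a", "b")])
SEQ = Structure([(), ("a1",), ("a1", "b2"), ("b1",), ("b1", "a2")])
AUTO = Structure([(), ("a1",), ("a2",), ("a1", "a2")])
```

With autoconcurrency the isomorphism in a state is no longer unique: the top configuration of `AUTO` is related to itself by two different bijections, which is where the factorial factor in the state bound comes from.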

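Definition 6.6. Let $\varphi \in \mathrm{EIL}$. The modal depth $\mathrm{md}(\varphi)$ of $\varphi$ is defined as follows:

$\mathrm{md}(\mathrm{tt}) = 0$, $\mathrm{md}(\varphi \wedge \varphi') = \max(\mathrm{md}(\varphi), \mathrm{md}(\varphi'))$, $\mathrm{md}((x : a)\varphi) = \mathrm{md}(\varphi)$

$\mathrm{md}(\neg\varphi) = \mathrm{md}(\varphi)$, $\mathrm{md}(\langle x : a\rangle\rangle\varphi) = 1 + \mathrm{md}(\varphi)$, $\mathrm{md}(\langle\langle x\rangle\varphi) = 1 + \mathrm{md}(\varphi)$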

We can use the game characterisation of HH to bound the modal depth of EIL formulas needed to 
check whether finite structures are HH equivalent: 

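Theorem 6.7. Let $\mathcal{C}$, $\mathcal{D}$ be finite stable configuration structures. Then $\mathcal{C} \approx_{hh} \mathcal{D}$ iff $\mathcal{C}$ and $\mathcal{D}$ satisfy the
same EIL formulas of modal depth no more than $s(\mathcal{C}, \mathcal{D}) + c(\mathcal{C}, \mathcal{D})$.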

We now define a family of characteristic formulas for HH equivalence, parametrised on modal depth. 

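Definition 6.8. Suppose that Act is finite. Let $\mathcal{C}$ be a finite stable configuration structure. We define
formulas $\chi_{X,n}$ ($X$ a configuration of $\mathcal{C}$) by induction on $n$:

$\chi_{X,0} = \theta'_X$

Here $\theta'_X \in \mathrm{EIL}_{dfro}$ is as in Lemma 5.5 and $\mathrm{fi}(\chi_{X,n}) = \{z_e : e \in X\}$. We further let $\chi_{\mathcal{C},n} = \chi_{\emptyset,n}$.
Note that $\chi_{X,n} \in \mathrm{EIL}$ and $\mathrm{md}(\chi_{\mathcal{C},n}) \le n + c(\mathcal{C})$.

Theorem 6.9. Suppose that Act is finite. Let $\mathcal{C}$, $\mathcal{D}$ be finite stable configuration structures. Let $s =
s(\mathcal{C}, \mathcal{D})$. Then $\mathcal{C} \approx_{hh} \mathcal{D}$ iff $\mathcal{D} \models \chi_{\mathcal{C},s}$.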

Thus we do not have a single characteristic formula for $\mathcal{C}$, but we can deal uniformly with all $\mathcal{D}$
up to a certain size. This is almost as good as having a single characteristic formula for $\mathcal{C}$, since we
can generate a formula of the appropriate size once we have settled on $\mathcal{D}$, so that we have still reduced
equivalence checking to checking a single formula. Single characteristic formulas are certainly possible
for some $\mathcal{C}$s; there remains an open question of whether for all finite $\mathcal{C}$ there is a single formula $\chi_{\mathcal{C}}$
which works for all $\mathcal{D}$.

Matters are simpler for H and WH equivalences, since only forward transitions are employed. 






Definition 6.10. Suppose that Act is finite. Let $\mathcal{C}$ be a finite stable configuration structure. We define
formulas Xx ^ configuration of as follows: 

Here 6^ G ElLdfro is as in Lemma [53] We further let x^ — X@- 

Note that S ElLh; it is well-defined, since maximal configurations form the base cases of the 
recursion. Also md(;^^) < 2.c('^). 

Proposition 6.11. Suppose that Act is finite. Let $\mathcal{C}$, $\mathcal{D}$ be finite stable configuration structures. Then
^^^^iff&^X^e- 

WH is even easier as formulas are closed: 

Definition 6.12. Suppose that Act is finite. Let $\mathcal{C}$ be a finite stable configuration structure. We define
formulas Xx^ ^ configuration of as follows: 

xt" = ex A ( A {^))xi^) A ( A H] V ) 

Here dx G EILro is as in LemmaEl We further let x^^ = Zg'''- 

Note that Xv" ^ EIL^h and mdiXx"^) < l.c<(€). 

Proposition 6.13. Suppose that Act is finite. Let $\mathcal{C}$, $\mathcal{D}$ be finite stable configuration structures. Then

6 ^^u"^ iff & h Xt ■ 

7 Conclusions and future work 

We have introduced a logic which uses event identifiers to track events in both forwards and reverse 
directions. As we have seen, this enables it to express causality and concurrency between events. The 
logic is strong enough to characterise hereditary history-preserving (HH) bisimulation equivalence. We 
are also able to characterise weaker equivalences using sublogics. In particular we can characterise weak 
history-preserving bisimulation, which has not been done previously as far as we are aware. We also
investigated characteristic formulas for our logic with respect to HH and other equivalences. Again we 
are not aware of previous work on characteristic formulas for logics for true concurrency. 

Baldan and Crafa |T| gave logics for pomset bisimulation and step bisimulation; we have also been 
able to characterise these equivalences in our setting, but we had to omit this material for reasons of 
space. 

In future work we would like to (1) investigate general laws which hold for the logic, (2) look at 
sublogics characterising other true concurrency equivalences, including equivalences involving reverse 
transitions from [3, 31], and (3) answer the open question raised in Section 6 about whether there is a
single characteristic formula for a finite structure with respect to HH equivalence. 

Acknowledgements. We are grateful to Ian Hodkinson and the anonymous referees for helpful com- 
ments and suggestions. 